Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account or sign in via Google or Microsoft OAuth, we collect your name, email address, and profile information provided by the identity provider. We do not receive or store your identity provider password.

1.2 Usage Data

We collect information about how you interact with the Service, including features accessed, actions performed, timestamps, IP addresses, browser type, and device information. This data is used for security monitoring, audit compliance, and service improvement.

1.3 Document Content

When you use the Service to process patent applications, office actions, or other intellectual property documents, the content of those documents is processed by our systems. Document content is used solely to provide the requested service functionality and is never used to train machine learning models.

1.4 Template Properties

You may store default values for document template placeholders (e.g., firm name, attorney name, contact information). These values are associated with your user account and used to populate document templates.

2. How We Use Your Information

• To provide, operate, and maintain the Service
• To authenticate your identity and manage your account
• To process and generate documents at your request
• To populate template placeholders with your stored values
• To monitor for unauthorized access and ensure security
• To maintain audit logs as required by SOC 2, GDPR, ABA Model Rules, and applicable regulations
• To respond to support requests and communicate with you
• To send transactional and service-related emails (e.g., security alerts, billing notices, material policy changes)
• To comply with legal obligations

We do not use your personal data for behavioral advertising. If we send any optional product or marketing communications, they will be sent only with your consent, and you may unsubscribe at any time using the link in any such email or by emailing [email protected].

3. Legal Basis for Processing (EU/UK Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, our processing of your personal data is based on one or more of the following legal bases under Article 6(1) of the GDPR:

• Performance of a contract (Article 6(1)(b)): Creating and operating your account, processing documents at your request, providing support, and billing.
• Legitimate interests (Article 6(1)(f)): Security monitoring, fraud and abuse prevention, service improvement, and limited technical analytics. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms.
• Compliance with legal obligations (Article 6(1)(c)): Audit log retention, tax and accounting records, and responses to lawful requests.
• Consent (Article 6(1)(a)): Where you have explicitly opted in (for example, to optional analytics cookies or marketing communications). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Data Storage and Security

Your data is stored in encrypted form using AES-256 encryption at rest and TLS 1.2+ encryption in transit. We use Amazon Web Services (AWS) infrastructure located in the United States. Access to production systems is restricted to authorized personnel using multi-factor authentication.

Audit logs are retained according to a tiered schedule: 90 days in active storage, 1 year in warm archival (with personally identifiable information pseudonymized), and up to 7 years in cold archival (with PII removed) as required by applicable legal retention obligations.

Despite our security measures, no method of transmission or storage is completely secure. If a security breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and any required supervisory authority within the timeframes required by applicable law.

5. AI and Machine Learning

The Service uses third-party large language models (LLMs) to assist with document analysis and generation. We guarantee that:

• No customer data is used to train, fine-tune, or improve any AI model
• Document content sent to LLM providers is processed under data processing agreements that prohibit training use
• AI-generated outputs are presented for human review and are not automatically filed or submitted

6. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

• Service providers (sub-processors): Cloud infrastructure (AWS), AI model providers (under DPA), and email delivery services, solely to operate the Service. A current list of our sub-processors is available at onetwelve.ai/subprocessors. We will update that list when sub-processors change and provide reasonable notice of new sub-processors with access to personal data.
• Your organization: If you use the Service through an organization account, your organization administrator may access your usage data and template properties.
• Legal requirements: When required by law, subpoena, court order, or to protect our rights or the safety of others. Where permitted, we will inform you before disclosing your data in response to a legal request.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Export your data in a portable, machine-readable format
• Object to or restrict certain processing activities
• Withdraw consent where processing is based on consent

To exercise these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling your request.

Right to lodge a complaint: If you believe our processing of your personal data is inconsistent with applicable data protection laws, you have the right to lodge a complaint with your local supervisory authority — for example, your national data protection authority in the EU/EEA, or the UK Information Commissioner’s Office.

8. Microsoft Word Add-in

The OneTwelve AI Word Add-in operates within Microsoft Word and accesses the content of the active document with your permission. The Add-in:

• Only reads document content when you actively use a feature that requires it
• Does not access other documents, files, or data on your device
• Communicates only with OneTwelve AI servers over encrypted HTTPS connections
• Requires ReadWriteDocument permission to insert generated content at your direction
• Does not collect telemetry beyond what is described in this policy

9. Cookies and Local Storage

9.1 What are cookies?

Cookies are small text files that a website stores on your device. Session cookies last only while your browser is open and are deleted when you close it. Persistent cookies remain until they expire or you delete them. Similar technologies such as local storage and session storage are treated the same way in this policy.

9.2 How we use cookies and local storage

• Strictly necessary: httpOnly session cookies authenticate your session and protect against cross-site request forgery. These cannot be disabled if you wish to use the Service.
• Functional: The Word Add-in uses browser local storage to maintain your session and OAuth tokens between uses.
• Security: We may use cookies to detect abusive traffic and protect against brute-force and bot activity.

9.3 What we do not use

We do not use third-party advertising cookies, tracking pixels, social media retargeting, or behavioral advertising on the Service. We do not place analytics cookies that profile you across other websites.

9.4 Controlling cookies

You can accept or refuse cookies through your browser settings. Blocking strictly necessary cookies may prevent you from signing in or using core parts of the Service. Where we offer optional cookies, we will ask for your consent before setting them and you may withdraw that consent at any time.

10. Data Retention

We retain your account information for the duration of your account. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., audit logs subject to legal hold).

11. Children’s Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected personal information from a person under 18 without verified parental consent, we will delete it.

12. International Data Transfers

Your data is processed and stored in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms. A copy of the relevant safeguards is available on request.

13. Business Transfers

If OneTwelve is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you (for example, via a message to the email address associated with your account) of any such transaction and outline your choices regarding your information.

14. Notice for California Residents (CCPA)

If you are a California resident, the CCPA grants you the rights described in Section 7 above, as well as the following:

• Right to know: The categories and specific pieces of personal information we have collected about you, the sources we collected it from, the purposes for collecting it, and the categories of third parties we share it with.
• Right to delete: Request deletion of your personal information, subject to legal retention requirements.
• Right to correct: Request correction of inaccurate personal information we hold about you.
• Right to opt out of sale or sharing: We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but you may contact us to confirm.
• Right to non-discrimination: You will not receive discriminatory treatment for exercising any of your CCPA rights.

To exercise any of these rights, email [email protected]. We will verify your identity before responding. You may also designate an authorized agent to make a request on your behalf, subject to verification.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last Updated” date. For material changes, we will provide at least 30 days’ notice before the changes take effect, either via in-app notification or email to the address associated with your account. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: